HHS final rule requires HIPAA compliance changes for reproductive health care information

Hogan Lovells

The HIPAA Privacy Rule has been modified by the US Department of Health and Human Services (HHS) to increase privacy protections for reproductive health care information. These changes, which will take effect in early 2026, prohibit the use and disclosure of reproductive health care information for an investigation, prosecution or identification of individuals who obtain or provide legal reproductive health care. HIPAA-regulated entities will be required to: (1) update their Notices of Privacy Practices; (2) obtain attestations in connection with certain requests for reproductive health care information; and (3) update their HIPAA policies and training.


Key Changes to HIPAA Privacy Requirements


Prohibits Certain Disclosures of Reproductive Health Care Information to Law Enforcement

The final rule prohibits the use or disclosure of PHI to support the investigation, prosecution or identification of individuals who seek, obtain, provide or facilitate lawful reproductive health care [1] (the “Prohibited Purposes”). Our prior post outlined key proposed changes in the notice of proposed rulemaking (“NPRM”), following the rise of uncertainty around reproductive health care as a result of the U.S. Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization.


Presumes that Care Provided was Lawful

The final rule includes a presumption that reproductive health care was lawful, unless certain conditions are met. These include the recipient of the request having actual knowledge that the care was not lawful, or where factual information is presented by the requestor that provides a substantial factual basis that the care was not lawful.


Requires a Signed Attestation

The final rule requires that when HIPAA-regulated entities receive requests for reproductive health care information, they must obtain a signed attestation from the requestor that the intended use or disclosure of that information is not for a Prohibited Purpose. The attestation requirement applies only if the request is for (1) law enforcement purposes, (2) judicial and administrative proceedings, (3) health oversight activities, or (4) disclosures to coroners and medical examiners. An attestation will be limited to the specific use or disclosure; therefore, each use or disclosure request for reproductive health care information will require a new attestation. The final rule includes required elements for a valid attestation, and HHS intends to publish model attestation language before the compliance date of the final rule.


Imposes Mandatory Updates to Notice of Privacy Practices

The final rule requires HIPAA-regulated entities to revise their Notices of Privacy Practices (“NPPs”) to support reproductive health care privacy. Specifically, NPPs must be updated to include a description and an example of the Prohibited Purposes with sufficient detail for an individual to understand the prohibition and the types of uses and disclosures of PHI that require an attestation. The final rule also includes requirements for entities that create or maintain Substance Use Disorder (“SUD”) patient records (i.e., “Part 2” records) to update their NPPs to reflect permitted and prohibited uses and disclosures of such records. We discussed HHS’s final rule regarding Part 2 records in this previous post.  

To prevent attempts to use other HIPAA provisions that allow the use or disclosure of PHI to justify uses and disclosures of reproductive health information for Prohibited Purposes, the final rule clarified the scope of certain permitted purposes, including:

  • Uses and disclosures of PHI for public health activities. The final rule adopts a new definition of “public health” that makes clear that permissible public health activities are population-level activities and do not include uses of PHI to conduct an investigation, impose liability on, or identify any person for seeking, obtaining, providing, or facilitating health care.

  • Disclosures of PHI to report cases of abuse or neglect. The final rule prohibits regulated entities from using or disclosing PHI to report abuse or neglect when the sole basis for the report is the provision or facilitation of reproductive health care. This provision differs from the proposed rule, where disclosure of PHI for reporting abuse was prohibited when the report is based primarily on the provision of reproductive health care.


Penalties

A person who knowingly and in violation of HIPAA falsifies an attestation (e.g., makes a material misrepresentation about the intended uses of the PHI requested) to obtain (or cause to be disclosed) an individual’s reproductive health care information could be subject to criminal penalties.


Compliance Timeline and Next Steps

The effective date of the rule is 60 days after the date of publication in the Federal Register, which is scheduled to be April 26, 2024. The compliance date is 240 days after the date of publication in the Federal Register, except for the applicable requirements for the NPPs, which go into effect on February 16, 2026. The phased rollout allows organizations to evaluate how the new requirements may impact their operations, identify what public-facing and internal materials may be affected, and update accordingly.

Steps organizations can take now include:

  • assessing what information and activities may be in scope for these requirements;

  • confirming what processes are needed to provide additional safeguards for reproductive health care information in light of the new requirements;

  • identifying and updating internal policies, procedures, and practices for responding to law enforcement or third-party requests for PHI, data handling, and permitted/prohibited uses and disclosures that may include reproductive health care information;

  • revising their Notices of Privacy Practices;

  • drafting applicable forms, including attestation templates, and response procedures for responding to requests; and

  • training workforce members on the new requirements and updated process.


References

[1] “Reproductive health care” is defined as health care, under HIPAA, that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes. In line with the NPRM, HHS states that it would interpret “reproductive health care” to include, but not be limited to: contraception, including emergency contraception; preconception screening and counseling; management of pregnancy and pregnancy-related conditions, including pregnancy screening, prenatal care, miscarriage management, treatment for preeclampsia, hypertension during pregnancy, gestational diabetes, molar or ectopic pregnancy, and pregnancy termination; fertility and infertility diagnosis and treatment, including assisted reproductive technology and its components (e.g., in vitro fertilization (IVF)); diagnosis and treatment of conditions that affect the reproductive system (e.g., perimenopause, menopause, endometriosis, adenomyosis); and other types of care, services, and supplies used for the diagnosis and treatment of conditions related to the reproductive system (e.g., mammography, pregnancy-related nutrition services, postpartum care products).


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising
